An Evil USB Drive Could Take Over Your PC Undetectably

Common USB malware relies on the autoplay mechanism to infect a PC. A new technique demonstrated at the Black Hat conference subverts the USB device's controller chip to create "a self-replicating USB virus not detectable with current defenses."

If you haven't turned off USB autoplay on your PC, it's conceivable that plugging in an infected USB drive could install malware on your system. The engineers whose uranium-purifying centrifuges were blown up by Stuxnet learned that the hard way. It turns out, though, that autoplay malware isn't the only way USB devices can be weaponized. At the Black Hat 2014 conference, two researchers from Berlin-based SRLabs revealed a technique for modifying a USB device's controller chip so it can "spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user." That sounds kind of bad, but in fact it's really, really dreadful.

Turn to the Dark Side

"We're a hacking lab typically focused on embedded security," said researcher Karsten Nohl, speaking to a packed room. "This is the first time we looked at computer security, with an embedded angle. How could USB be repurposed in malicious ways?"

Researcher Jakob Lell jumped right into a demo. He plugged a USB drive into a Windows computer; it showed up as a drive, just as you'd expect. But a short while later, it redefined itself as a USB keyboard and issued a command that downloaded a remote access Trojan. That drew applause!

"We won't be talking about viruses in USB storage," said Nohl. "Our technique works with an empty disk. You can even reformat it. This is not a Windows vulnerability that could be patched. We're focused on deployment, not on the Trojan."

Controlling the Controller

"USB is very popular," said Nohl. "Most (if not all) USB devices have a controller chip. You never interact with the chip, nor does the OS see it. But this controller is what 'talks USB.'"

The USB chip identifies its device type to the computer, and it can repeat this process at any time. Nohl pointed out that there are valid reasons for one device to present itself as more than one, such as a webcam that has one driver for video and another for the attached microphone. And truly identifying USB drives is tough, because a serial number is optional and has no fixed format.

Lell walked through the precise steps taken by the team to reprogram the firmware on a specific type of USB controller. Briefly, they had to snoop the firmware update process, reverse engineer the firmware, and then create a modified version of the firmware containing their malicious code. "We did not break everything about USB," noted Nohl. "We reverse-engineered two very popular controller chips. The first took maybe two months, the second one month."

Self-Replication

For the second demo, Lell inserted a brand-new blank USB drive into the infected PC from the first demo. The infected PC reprogrammed the blank USB drive's firmware, thereby replicating itself. Oh dear.

He next plugged the just-infected drive into a Linux notebook, where it visibly issued keyboard commands to load malicious code. Once again, the demo drew applause from the audience.

Stealing Passwords

"That was a second example where one USB echoes another device type," said Nohl, "but this is just the tip of the iceberg. For our next demo, we reprogrammed a USB 3 drive to be a device type that's harder to detect. Watch closely, it's almost impossible to see."

Indeed, I couldn't detect the flickering of the network icon, but after the USB drive was plugged in, a new network showed up. Nohl explained that the drive was now emulating an Ethernet connection, redirecting the computer's DNS lookups. Specifically, if the user visits the PayPal website, they'll be invisibly redirected to a password-stealing site. Alas, the demo demons claimed this one; it didn't work.

Trust in USB

"Let's discuss for a moment the trust we place in USB," said Nohl. "It's popular because it's easy to use. Exchanging files via USB is better than using unencrypted email or cloud storage. USB has conquered the world. We know how to virus-scan a USB drive. We trust a USB keyboard even more. This research breaks down that trust."

"It's not just the situation where somebody gives you a USB," he continued. "Just attaching the device to your computer could infect it. For one last demo, we'll use the easiest USB attacker, an Android phone."

"Let's just attach this standard Android phone to the computer," said Lell, "and see what happens. Oh, suddenly there is an additional network device. Let's go to PayPal and log in. There's no error message, nothing. But we captured the username and password!" This time, the applause was thunderous.

"Will you detect that the Android phone turned into an Ethernet device?" asked Nohl. "Does your device control or data loss prevention software detect it? In our experience, most do not. And most focus only on USB storage, not on other device types."
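The device type a controller announces lives in its interface descriptors, and that is where device-control software would have to look to answer Nohl's question. As an added example (not code from the talk or from SRLabs), the following walks a configuration descriptor, names the interface classes it finds, flags a device that pairs storage with a keyboard or network interface, and reports which classes newly appeared when a port re-enumerated; the two descriptors at the bottom are constructed, not captured from a real device.

```python
"""Walk a USB configuration descriptor and flag multi-personality devices.
Added example (not SRLabs' code): a host-side check a device-control policy
could run on each enumeration, since a reprogrammed controller can re-enumerate
as a keyboard or network adapter while still looking like a drive."""
DESC_INTERFACE = 0x04
CLASS_NAMES = {0x01: "audio", 0x02: "cdc-control", 0x03: "hid",
               0x08: "mass-storage", 0x0A: "cdc-data", 0x0E: "video"}
INPUT_OR_NETWORK = {0x02, 0x03, 0x0A}  # classes that can type or re-route traffic

def interface_classes(config: bytes) -> list:
    """Return (class, subclass, protocol) for each interface descriptor."""
    end = min(int.from_bytes(config[2:4], "little"), len(config)) if len(config) >= 4 else 0
    found, off = [], 0
    while off + 2 <= end:
        blen, btype = config[off], config[off + 1]
        if blen < 2 or off + blen > end:
            break  # zero-length or truncated descriptor: stop, never loop forever
        if btype == DESC_INTERFACE and blen >= 9:
            found.append(tuple(config[off + 5:off + 8]))
        off += blen
    return found

def class_names(config: bytes) -> set:
    return {CLASS_NAMES.get(c, hex(c)) for c, _, _ in interface_classes(config)}

def assess(config: bytes) -> dict:
    """Flag a device that pairs storage with an input or network interface."""
    classes = {c for c, _, _ in interface_classes(config)}
    flag = 0x08 in classes and bool(classes & INPUT_OR_NETWORK)
    return {"classes": sorted(class_names(config)), "flag": flag}

def new_personalities(before: bytes, after: bytes) -> set:
    """Interface classes that appeared when the same port re-enumerated."""
    return class_names(after) - class_names(before)

# Constructed descriptors, not captured from a real device.
STORAGE_ONLY = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"  # config: wTotalLength 0x20, 1 interface
    "09 04 00 00 02 08 06 50 00"  # interface 0: mass storage, SCSI, bulk-only
    "07 05 81 02 00 02 00"        # bulk IN endpoint
    "07 05 02 02 00 02 00")       # bulk OUT endpoint
STORAGE_PLUS_KEYBOARD = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"  # config: wTotalLength 0x39, 2 interfaces
    "09 04 00 00 02 08 06 50 00"  # interface 0: mass storage
    "07 05 81 02 00 02 00"
    "07 05 02 02 00 02 00"
    "09 04 01 00 01 03 01 01 00"  # interface 1: HID, boot subclass, keyboard
    "09 21 11 01 00 01 22 3F 00"  # HID class descriptor
    "07 05 83 03 08 00 0A")       # interrupt IN endpoint for keystrokes
```

Calling `assess(STORAGE_PLUS_KEYBOARD)` returns both class names with `flag` set, and `new_personalities(STORAGE_ONLY, STORAGE_PLUS_KEYBOARD)` reports the keyboard that was not there before; a device that hides the second personality from the operating system entirely (the BIOS-only drive described below) is outside what this host-side walk can see.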

The Return of the Boot Sector Infector

"The BIOS does a different type of USB enumeration than the operating system," said Nohl. "We can take advantage of that with a device that emulates two drives and a keyboard. The operating system will only ever see one drive. The second only appears to the BIOS, which will boot from it if configured to do so. If it's not, we can send whatever keystroke, maybe F12, to enable booting from the device."

Nohl pointed out that the rootkit code loads before the operating system, and that it can infect other USB drives. "It's the perfect deployment for a virus," he said. "It's already running on the computer before any antivirus can load. It's the return of the boot sector virus."

What Can Be Done?

Nohl pointed out that it would be extremely difficult to remove a virus residing in the USB firmware. Even if you get it out of the USB flash drive, it could reinfect from your USB keyboard. Even the USB devices built into your PC could be infected.

"Unfortunately, there's no simple solution. Almost all our ideas for protection would interfere with the usefulness of USB," said Nohl. "Could you whitelist trusted USB devices? Well, you could if USB devices were uniquely identifiable, but they're not."

"You could block USB altogether, but that impacts usability," he continued. "You could block critical device types, but even very basic classes can be abused. Remove those and there's not much left. How about scanning for malware? Unfortunately, in order to read the firmware you must rely on functions of the firmware itself, so a malicious firmware could spoof a legitimate one."

"In other situations, vendors block malicious firmware updates using digital signatures," said Nohl. "But secure cryptography is tough to implement on small controllers. In any case, billions of existing devices remain vulnerable."

"The one workable idea we came up with was to disable firmware updates at the factory," said Nohl. "The very last step, you make it so the firmware can't be reprogrammed. You could even fix it in software. Burn one new firmware upgrade that blocks all further updates. We could conquer back a little of the sphere of trusted USB devices."

Nohl wrapped up by pointing out some positive uses for the controller-modification technique described here. "There's a case to be made for people playing around with this," he said, "but not in trusted environments." I, for one, will never look at any USB device the way I used to.

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips...